<HTML
><HEAD
><TITLE
>Creating a user</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
"><LINK
REL="HOME"
TITLE="The Linux System Administrator's Guide"
HREF="index.html"><LINK
REL="UP"
TITLE="Managing user accounts"
HREF="c2318.html"><LINK
REL="PREVIOUS"
TITLE="What's an account?"
HREF="x2324.html"><LINK
REL="NEXT"
TITLE="Changing user properties"
HREF="x2424.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Linux System Administrator's Guide: Version 0.7</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x2324.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 11. Managing user accounts</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x2424.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2331"
>11.2. Creating a user</A
></H1
><P
> The Linux kernel itself treats users are mere numbers.
	Each user is identified by a unique integer, the <I
CLASS="GLOSSTERM"
>user
	id</I
> or <I
CLASS="GLOSSTERM"
>uid</I
>, because numbers are
	faster and easier for a computer to process than textual names.
	A separate database outside the kernel assigns a textual name,
	the <I
CLASS="GLOSSTERM"
>username</I
>, to each user id.  The database
	contains additional information as well.  </P
><P
> To create a user, you need to add information about
	the user to the user database, and create a home directory for
	him. It may also be necessary to educate the user, and set up
	a suitable initial environment for him.  </P
><P
> Most Linux distributions come with a program for
	creating accounts. There are several such programs available.
	Two command line alternatives are <B
CLASS="COMMAND"
>adduser</B
>
	and <B
CLASS="COMMAND"
>useradd</B
>; there may be a GUI tool as well.
	Whatever the program, the result is that there is little if
	any manual work to be done. Even if the details are many and
	intricate, these programs make everything seem trivial.  However,
	<A
HREF="x2331.html#MANUAL-ADDUSER"
>Section 11.2.4</A
> describes how to do it by hand.
	</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2342"
>11.2.1. <TT
CLASS="FILENAME"
>/etc/passwd</TT
> and other informative 
files</A
></H2
><P
> The basic user database in a Unix system is the text file,
	<TT
CLASS="FILENAME"
>/etc/passwd</TT
> (called the <I
CLASS="GLOSSTERM"
>password
	file</I
>), which lists all valid usernames and their
	associated information. The file has one line per username,
	and is divided into seven colon-delimited fields:

	<P
></P
><UL
><LI
><P
>Username.</P
></LI
><LI
><P
>Password, in an encrypted form.</P
></LI
><LI
><P
>Numeric user id.</P
></LI
><LI
><P
>Numeric group id.</P
></LI
><LI
><P
>Full name or other description of 
account.</P
></LI
><LI
><P
>Home directory.</P
></LI
><LI
><P
>Login shell (program to run at 
login).</P
></LI
></UL
>

	The format is explained in more detail on the
	<TT
CLASS="FILENAME"
>passwd</TT
> manual page.  </P
><P
> Any user on the system may read the password file,
	so that they can, for example, learn the name of another user.
	This means that the password (the second field) is also available
	to everyone. The password file encrypts the password, so in
	theory there is no problem.  However, the encryption is breakable,
	especially if the password is weak (e.g., it is short or it can
	be found in a dictionary).  Therefore it is not a good idea to
	have the password in the password file.  </P
><P
>	Many Linux systems have <I
CLASS="GLOSSTERM"
>shadow passwords</I
>. 
This is
	an alternative way of storing the password: the encrypted
	password is stored in a separate file, 
<TT
CLASS="FILENAME"
>/etc/shadow</TT
>,
	which only root can read. The <TT
CLASS="FILENAME"
>/etc/passwd</TT
>
	file only contains a special marker in the second field.
	Any program that needs to verify a user is setuid, and
	can therefore access the shadow password file. Normal
	programs, which only use the other fields in the password
	file, can't get at the password.
	
		<A
NAME="AEN2369"
HREF="#FTN.AEN2369"
>[1]</A
>

	</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2372"
>11.2.2. Picking numeric user and group ids</A
></H2
><P
> On most systems it doesn't matter what the numeric user
	and group ids are, but if you use the Network filesystem (NFS),
	you need to have the same uid and gid on all systems. This
	is because NFS also identifies users with the numeric uids.
	If you aren't using NFS, you can let your account creation tool
	pick them automatically.  </P
><P
> If you are using NFS, you'll have to be invent a mechanism
	for synchronising account information. One alternative is to
	the NIS system (see XXX network-admin-guide).  </P
><P
> However, you should try to avoid re-using numeric uids
	(and textual usernames), because the new owner of the uid (or
	username) may get access to the old owner's files (or mail,
	or whatever).  </P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2377"
>11.2.3. Initial environment: <TT
CLASS="FILENAME"
>/etc/skel</TT
></A
></H2
><P
> When the home directory for a new user is created, it is
	initialised with files from the <TT
CLASS="FILENAME"
>/etc/skel</TT
>
	directory.  The system administrator can create files in
	<TT
CLASS="FILENAME"
>/etc/skel</TT
> that will provide a nice
	default environment for users.	For example, he might create a
	<TT
CLASS="FILENAME"
>/etc/skel/.profile</TT
> that sets the EDITOR
	environment variable to some editor that is friendly towards
	new users.  </P
><P
> However, it is usually best to try to keep
	<TT
CLASS="FILENAME"
>/etc/skel</TT
> as small as possible, since it
	will be next to impossible to update existing users' files. For
	example, if the name of the friendly editor changes, all existing
	users would have to edit their <TT
CLASS="FILENAME"
>.profile</TT
>. The
	system administrator could try to do it automatically, with a
	script, but that is almost certain going to break someone's file.
	</P
><P
> Whenever possible, it is better to put global configuration
	into global files, such as <TT
CLASS="FILENAME"
>/etc/profile</TT
>. This
	way it is possible to update it without breaking users'
	own setups.  </P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="MANUAL-ADDUSER"
>11.2.4. Creating a user by hand</A
></H2
><P
> To create a new account manually, follow these steps:


	<P
></P
><UL
><LI
><P
> Edit <TT
CLASS="FILENAME"
>/etc/passwd</TT
> with
	<B
CLASS="COMMAND"
>vipw</B
> and add a new line for the new account. Be
	careful with the syntax. <EM
>Do not edit directly with an
	editor!</EM
> <B
CLASS="COMMAND"
>vipw</B
> locks the file, so
	that other commands won't try to update it at the same time. You
	should make the password field be `<TT
CLASS="LITERAL"
>*</TT
>', so
	that it is impossible to log in.  </P
></LI
><LI
><P
> Similarly, edit <TT
CLASS="FILENAME"
>/etc/group</TT
>
	with <B
CLASS="COMMAND"
>vigr</B
>, if you need to create a new group
	as well.  </P
></LI
><LI
><P
> Create the home directory of the user with
	<B
CLASS="COMMAND"
>mkdir</B
>.  </P
></LI
><LI
><P
> Copy the files from
	<TT
CLASS="FILENAME"
>/etc/skel</TT
> to the new home directory.
	</P
></LI
><LI
><P
> Fix ownerships and permissions with
	<B
CLASS="COMMAND"
>chown</B
> and <B
CLASS="COMMAND"
>chmod</B
>. The
	<TT
CLASS="OPTION"
>-R</TT
> option is most useful.  The correct
	permissions vary a little from one site to another, but usually
	the following commands do the right thing:

<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
><TT
CLASS="USERINPUT"
><B
>cd /home/newusername
chown -R username.group .
chmod -R go=u,go-w .
chmod go= .</B
></TT
></PRE
></FONT
></TD
></TR
></TABLE
>

	</P
></LI
><LI
><P
> Set the password with <B
CLASS="COMMAND"
>passwd</B
>.
	</P
></LI
></UL
>
	</P
><P
> After you set the password in the last step, the account
	will work. You shouldn't set it until everything else has been
	done, otherwise the user may inadvertently log in while you're
	still copying the files.  </P
><P
>	It is sometimes necessary to create dummy
	accounts
	
		<A
NAME="AEN2422"
HREF="#FTN.AEN2422"
>[2]</A
>
		
	that are not used by people. For example, to set up an anonymous
	FTP server (so that anyone can download files from it, without
	having to get an account first), you need to create an account
	called ftp. In such cases, it is usually not necessary to set
	the password (last step above).  Indeed, it is better not to, so
	that no-one can use the account, unless they first become root,
	since root can become any user.  </P
></DIV
></DIV
><H3
CLASS="FOOTNOTES"
>Notes</H3
><TABLE
BORDER="0"
CLASS="FOOTNOTES"
WIDTH="100%"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.AEN2369"
HREF="x2331.html#AEN2369"
>[1]</A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>Yes, this means that the
		password file has all the information about a user
		<EM
>except</EM
> his password. The wonder
		of development.</P
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.AEN2422"
HREF="x2331.html#AEN2422"
>[2]</A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>Surreal users?</P
></TD
></TR
></TABLE
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x2324.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x2424.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>What's an account?</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="c2318.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Changing user properties</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>